Bug 460 - sudo ignores timelimit and hangs if slapd hangs
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.7.4
Hardware: PC Linux
Importance: low high
Assigned To: Todd C. Miller
Reported: 2011-01-10 07:32 MST by Juergen Sprenger
Modified: 2011-01-12 06:25 MST

Attachments
Implement support for the ldap.conf TIMEOUT option (7.01 KB, patch)
2011-01-11 10:18 MST, Todd C. Miller
Description Juergen Sprenger 2011-01-10 07:32:04 MST
sudo ignores the timelimit option and waits forever if it is configured to use LDAP and the LDAP server hangs.

timelimit from ldap.conf and ldap.conf.sudo is ignored, as can be seen in the strace output; all timeouts had been set to 3s in ldap.conf and ldap.conf.sudo:

ldapsearch (correct behaviour, ending after 3s timeout):
gettimeofday({1294662432, 883282}, NULL) = 0
poll([{fd=3, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, 3000) = 0 (Timeout)
write(2, "ldap_result: Timed out (-5)\n", 28ldap_result: Timed out (-5)
) = 28
exit_group(-2)                          = ?

sudo (waiting forever):
write(5, "0\f\2\1\1`\7\2\1\3\4\0\200\0", 14) = 14
poll([{fd=5, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, -1

This will cause all jobs using sudo to hang.
Comment 1 Todd C. Miller 2011-01-10 09:16:53 MST
Do you get the same results with bind_timelimit=3 set in ldap.conf.sudo?  This corresponds to OpenLDAP's NETWORK_TIMEOUT option which I believe is the one you want. If you set sudo_debug=1 in ldap.conf.sudo it will display the LDAP configuration values that sudo has parsed from the config file.
Comment 2 Juergen Sprenger 2011-01-11 02:51:21 MST
The configuration value bind_timelimit is parsed and works correctly if slapd is down, but the configuration values timeout and timelimit are not used.

TIMEOUT <integer>
Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs will abort if no response  is  received.
Also used for any ldap_result(3) calls where a NULL timeout parameter is supplied.

So if slapd accepts connection requests but does not supply an answer because it hangs, then sudo will wait forever. We can reproduce that using an OpenLDAP server under Solaris by running 'pstop' on the slapd server process. sudo will hang until slapd is continued using 'prun'.

sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 3
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 6)
--> now sudo will wait until it gets a response from slapd or slapd is restarted.
Comment 3 Todd C. Miller 2011-01-11 10:18:45 MST
Created attachment 298 [details]
Implement support for the ldap.conf TIMEOUT option

Sudo 1.7.4 doesn't support OpenLDAP's TIMEOUT option which is probably the root of the problem.  Mozilla-derived LDAP SDKs don't support this option but we can emulate it by passing the timeout to ldap_search_ext_s(). I've added support for this which will be in sudo 1.7.5 and have attached a patch to back-port support for sudo 1.7.4.  Please give it a try.
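The distinction drawn in comments 2 and 3, between a timeout that guards the connection (bind_timelimit, i.e. LDAP_OPT_NETWORK_TIMEOUT) and one that guards the wait for a search reply (ldap.conf TIMEOUT, which the fix emulates by passing a timeval to ldap_search_ext_s()), is easy to reproduce without slapd. The following is an added example, not sudo's code or part of the patch: it uses plain sockets in place of libldap, a listening socket that never calls accept() as a constructed stand-in for a slapd frozen with pstop, a constructed answering server as the healthy case, and constructed byte strings in place of BER-encoded LDAP messages. The LDAP_TIMEOUT value -5 is the API error ldapsearch printed in the report; the function and server names are chosen for this example.

```python
import socket
import threading

# OpenLDAP's API-level error for "no response within the timeout";
# it is the -5 in the ldapsearch strace from the bug report.
LDAP_TIMEOUT = -5
LDAP_SUCCESS = 0

HOST = "127.0.0.1"


def start_hung_server():
    """Constructed stand-in for a slapd frozen with pstop.

    The socket listens but accept() is never called: the kernel still
    completes the TCP handshake from the listen backlog, so a client's
    connect() succeeds and its request is buffered, but no reply ever comes.
    That is why a connect-level timeout (bind_timelimit / NETWORK_TIMEOUT)
    never fires in the reporter's scenario.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(5)
    return srv


def start_answering_server():
    """Constructed stand-in for a healthy slapd: accepts and answers each request."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listening socket closed by the caller
                return
            with conn:
                conn.recv(1024)
                conn.sendall(b"searchResDone")   # constructed reply, not real BER

    threading.Thread(target=serve, daemon=True).start()
    return srv


def ldap_query(port, network_timeout, result_timeout):
    """Emulate the two distinct timeouts discussed in the bug.

    network_timeout guards connect(): what sudo's bind_timelimit sets via
    LDAP_OPT_NETWORK_TIMEOUT. result_timeout guards the wait for the search
    reply: ldap.conf's TIMEOUT, which the fix emulates by passing a timeval
    to ldap_search_ext_s(). result_timeout=None is the pre-fix behaviour
    (the poll(..., -1) in the strace) and blocks for as long as the server
    stays silent, so never use it against the hung server.
    Returns a (code, label) pair modelled on ldap_result(3).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.settimeout(network_timeout)
        try:
            sock.connect((HOST, port))
        except socket.timeout:
            return LDAP_TIMEOUT, "connect timed out"
        sock.sendall(b"searchRequest")          # constructed request, not real BER
        sock.settimeout(result_timeout)
        try:
            sock.recv(1024)
        except socket.timeout:
            return LDAP_TIMEOUT, "ldap_result: Timed out"
        return LDAP_SUCCESS, "reply received"
    finally:
        sock.close()


if __name__ == "__main__":
    hung = start_hung_server()
    healthy = start_answering_server()
    for name, srv in (("hung slapd", hung), ("healthy slapd", healthy)):
        port = srv.getsockname()[1]
        print(name, ldap_query(port, network_timeout=3.0, result_timeout=3.0))
    hung.close()
    healthy.close()
```

Against the hung server the connect succeeds within network_timeout and only result_timeout ends the wait, which is the behaviour the ldap.conf TIMEOUT option is meant to provide; against the healthy server both calls return LDAP_SUCCESS.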
Comment 4 Juergen Sprenger 2011-01-12 06:25:32 MST
Problem solved with patch for Linux.
Will now check with other OSs in our environment.

Thanks for immediate response. Great work.